Commit a047e3be authored by segfault's avatar segfault

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.
parent 6ee4ba04
......@@ -132,7 +132,7 @@ if [ -z "${TAILS_USER_PASSWORD}" ] ; then
fi
# Sets the password
echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd
echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd -e
# Add sudoers entry
echo "${LIVE_USERNAME} ALL = (ALL) ALL" >> "${SUDOERS}"
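Review bot: With `-e`, chpasswd copies `${TAILS_USER_PASSWORD}` into the shadow hash field verbatim, and nothing in this hunk checks that the value actually is a crypt hash rather than an empty or garbled mkpasswd result or a cleartext value left over from a settings file written by an older greeter — a cleartext value stored as the "hash" would presumably leave the account unusable without any loud failure. A guard on the expected prefix before the call would catch that, e.g. `case "${TAILS_USER_PASSWORD}" in '$6$'*) ;; *) echo "TAILS_USER_PASSWORD is not a sha512crypt hash" >&2; exit 1 ;; esac`; whether aborting the hook or only skipping the password step is the right reaction depends on the rest of this script, which is outside the hunk. A comment on the changed line such as `# TAILS_USER_PASSWORD is a sha512crypt hash produced by the greeter via mkpasswd, hence -e` would also explain the flag to the next reader.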
......
import os
import os.path
import logging
import pipes
import subprocess
import tailsgreeter.config
from tailsgreeter.settings.utils import read_settings, write_settings
......@@ -17,8 +17,16 @@ class AdminSetting(object):
def apply_to_upcoming_session(self):
if self.password:
proc = subprocess.run(
["mkpasswd", "-s", "--method=sha512crypt"],
input=pipes.quote(self.password).encode(),
capture_output=True,
check=True,
)
hashed_and_salted_pw = proc.stdout.decode().strip()
write_settings(self.settings_file, {
'TAILS_USER_PASSWORD': pipes.quote(self.password),
'TAILS_USER_PASSWORD': pipes.quote(hashed_and_salted_pw),
})
logging.debug('password written to %s', self.settings_file)
return
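Review bot: The password fed to mkpasswd on stdin is shell-quoted first (`input=pipes.quote(self.password).encode()`), so any password containing a character that pipes.quote escapes — a space, `'`, `$`, `!` and so on — is wrapped in single quotes before hashing, and the stored hash will not verify against what the user actually types. The quoting was needed when the cleartext itself went into the settings file that the shell hook later reads, but mkpasswd reads its stdin literally, so the call should use `input=self.password.encode(),` and keep `pipes.quote()` only on the hash written to the settings file, where it is presumably still required because `$6$…` would otherwise be subject to shell expansion. A one-line `# mkpasswd -s reads the raw password from stdin; it must not be shell-quoted here` above the subprocess call would keep this from being reintroduced. Note also that `check=True` turns a mkpasswd failure into an uncaught CalledProcessError from apply_to_upcoming_session; if callers do not expect it to raise, that needs handling. The enclosing class AdminSetting starts outside the hunk.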
......
......@@ -3,7 +3,8 @@ tails-installer
whisperback
# profiling => squashfs optimization
python3-pyinotify
# contains mkpasswd, needed in chroot_local-hooks/01-password
# contains mkpasswd, needed in chroot_local-hooks/01-password and for
# setting the admin password in chroot_local-includes/etc/gdm3/PostLogin/Default
whois
# needed in chroot_local-includes/etc/NetworkManager/dispatcher.d/50-htp.sh
bind9-host
......